Security News

To exploit the flaws in a real-world attack, all an attacker would need to do is convince a victim to click one malicious link. Security researcher Ryan Pickren has revealed details on seven flaws in Safari, including three that could be used in a kill chain to access victims' webcams.

There's been a bit of a buzz in the news lately over an "Epic new feature" in the next Apple iPad model - the one that's supposed to come out this year. A real-life, break-in-the-wire(ish) microphone switch so that you can be sure that your iPad really isn't recording you while you're in your car or sitting around at home.

One way to ensure this is to update your Apple systems automatically and to have the App Store automatically update your apps as well. I'll explain how to keep iOS and macOS devices and apps up-to-date without lifting a finger when new updates are available.

A white hat hacker says he has earned $75,000 from Apple for reporting several Safari vulnerabilities that can be exploited to hijack the camera and microphone of devices running iOS or macOS. Researcher Ryan Pickren identified a total of seven vulnerabilities in Apple's Safari web browser, three of which can be exploited to spy on users through the camera and microphone of their iPhone, iPad or Mac computer. Apple patched the vulnerabilities that allow hackers to spy on users in January, while the other flaws were fixed in March.

Apple's latest update to macOS Catalina appears to have broken SSH for some users. The issue is that under Apple's macOS 10.15.4 update, released on March 24, trying to open a SSH connection to a port greater than 8192 using a server name, rather than an IP address, no longer works - for some users at least.

Publicised by ProtonVPN, the issue is a bypass flaw caused by iOS not closing existing connections as it establishes a VPN tunnel, affecting iOS 13.3.1 as well as the latest version. A VPN app should open a private connection to a dedicated server through which all internet traffic from the device is routed before being forwarded to the website or service someone is accessing.

Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device's IP address, exposing it for a limited window of time. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel," researchers explained in a technical analysis of the flaw.

"The long wait is over," Apple WebKit engineer John Wilander announced on Tuesday: the latest update to the Safari browser is blocking third-party cookies by default for all users. We've added so many restrictions to ITP since its initial release in 2017 that we are now at a place where most third-party cookies are already blocked in Safari.

Apple this week announced that third-party cookies are now blocked by default in Safari on macOS, iOS and iPadOS. The feature represents the latest enhancement the Cupertino-based company brought to its Intelligent Tracking Prevention and is meant to improve the privacy of its users by removing previously accepted exceptions. Due to continuous improvements made to ITP, most third-party cookies were already blocked in Safari, but other browser makers are also moving toward blocking cookies by default, and Apple decided to make the final step before others.

If you haven't yet opted for automatic Apple security updates, it's time to update your iDevices and software again. The security update for Xcode - an integrated development environment for macOS containing a suite of software development tools developed by Apple for developing software for macOS, iOS, iPadOS, watchOS, and tvOS - offers no details about fixed security issues.